From 5a36f31d0194d5e24bd29ea0fa77fd1887fc7070 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 5 Dec 2025 12:50:58 +0100 Subject: [PATCH 1/5] align Ansible remediation with Bash regarding usage of authselect --- .../ansible/shared.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml index 6442dde33977..3e2df58ffd2b 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml @@ -6,9 +6,6 @@ {{% if 'ubuntu' in product or 'debian' in product %}} {{%- set pam_config_paths = "['/etc/pam.d/common-password', '/etc/pam.d/common-auth', '/etc/pam.d/common-account', '/etc/pam.d/common-session', '/etc/pam.d/common-session-noninteractive']" %}} -{{% else %}} -{{%- set pam_config_paths = "['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']" -%}} -{{% endif %}} - name: '{{{ rule_title }}} - Remove remember option from pam_unix.so' ansible.builtin.replace: @@ -16,3 +13,8 @@ regexp: '(\s+pam_unix\.so.*)\s+remember=\d+\b(.*)' replace: '\1\2' loop: {{{ pam_config_paths }}} +{{% else %}} +{{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/system-auth', 'password', '.*', 'pam_unix.so', 'remember', rule_title=rule_title) }}} + +{{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/password-auth', 'password', '.*', 'pam_unix.so', 'remember', rule_title=rule_title) }}} +{{% endif %}} From 5dc23456aad873b6dd00bb8e4acd3e54e2a214a0 Mon Sep 17 00:00:00 2001 
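Review bot: The new `{{% else %}}` branch calls `ansible_remove_pam_module_option_configuration` unconditionally for every non-Debian platform, whereas the Bash remediation this commit says it aligns with branches on `[ -f /usr/bin/authselect ]` and falls back to `bash_remove_pam_module_option` when authselect is absent. Unless the Ansible macro itself copes with a host that has no authselect (not visible here), such hosts get either no remediation or a failing play. I would either mirror the Bash structure, e.g. an `ansible.builtin.stat` of `/usr/bin/authselect` whose result gates the generated tasks with a `when:`, or state the assumption in the template with `{{# non-Debian branch assumes authselect is installed; bash/shared.sh keeps a non-authselect fallback #}}`. The `{{% if %}}` that opens this block starts before the first hunk.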
From: Vojtech Polasek Date: Fri, 5 Dec 2025 12:51:39 +0100 Subject: [PATCH 2/5] be more specific in Bash remediation and do not rely on default value in macro --- .../accounts_password_pam_unix_no_remember/bash/shared.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh index d26921328504..03336f17073a 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh @@ -18,10 +18,10 @@ DEBIAN_FRONTEND=noninteractive pam-auth-update {{% else %}} # RHEL-based systems: Use authselect-aware approach if [ -f /usr/bin/authselect ]; then - {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember') }}} - {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember') }}} + {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth', 'password', '.*', 'pam_unix.so', 'remember') }}} + {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/password-auth', 'password', '.*', 'pam_unix.so', 'remember') }}} else - {{{ bash_remove_pam_module_option('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember') }}} - {{{ bash_remove_pam_module_option('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember') }}} + {{{ bash_remove_pam_module_option('/etc/pam.d/system-auth', 'password', '.*', 'pam_unix.so', 'remember') }}} + {{{ bash_remove_pam_module_option('/etc/pam.d/password-auth', 'password', '.*', 'pam_unix.so', 'remember') }}} fi {{% endif %}} 
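Review bot: Passing `'.*'` as the PAM control argument to `bash_remove_pam_module_option_configuration` and `bash_remove_pam_module_option` is less specific than a concrete control, not more, and the commit subject does not say how the macro treats that value; patch 5 of this series reverts the same change on the Ansible side because the control argument "is handled unexpectedly" there, so after the series Bash passes `'.*'` and Ansible passes `''` for the same rule. If the Bash macro builds a regex from this argument, `'.*'` matches any control (`sufficient`, `required`, `[success=1 default=ignore]`) and is fine, but that should be confirmed and then recorded next to the calls, e.g. `# control given as the regex '.*': remove remember= regardless of the control field`. If an empty value already means "any control" in both macros, keep `''` here too so the two remediations stay aligned. The `{{% else %}}`/`fi` block is complete in the hunk, but the outer `{{% if %}}` starts earlier in the file.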
From 53ad425c42b61122cdec9ab4c476544ce3ed7df1 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 5 Dec 2025 12:52:18 +0100 Subject: [PATCH 3/5] RHEL test scenarios: cover cases when Authselect is present make scenarios applicable only for RHEL and Fedora --- .../tests/no_remember_rhel.pass.sh | 22 +++++++++++++------ .../tests/remember_commented_rhel.pass.sh | 22 +++++++++++++------ .../remember_present_password_auth.fail.sh | 15 +++++++++---- .../remember_present_system_auth.fail.sh | 15 +++++++++---- 4 files changed, 52 insertions(+), 22 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh index 92ce2278b8e8..949f26890448 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh 
@@ -1,16 +1,24 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_rhel,multi_platform_fedora # packages = pam +authselect create-profile hardening -b sssd +CUSTOM_PROFILE="custom/hardening" +authselect select $CUSTOM_PROFILE --force +CUSTOM_PASSWORD_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth" +CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth" + # Ensure system-auth and password-auth don't have remember option -sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/system-auth -sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/password-auth +sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' $CUSTOM_SYSTEM_AUTH +sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' $CUSTOM_PASSWORD_AUTH # Add a clean pam_unix.so line without remember if it doesn't exist -if ! grep -q "^password.*pam_unix\.so" /etc/pam.d/system-auth; then - echo "password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok" >> /etc/pam.d/system-auth +if ! grep -q "^password.*pam_unix\.so" $CUSTOM_SYSTEM_AUTH; then + echo "password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok" >> $CUSTOM_SYSTEM_AUTH fi -if ! grep -q "^password.*pam_unix\.so" /etc/pam.d/password-auth; then - echo "password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok" >> /etc/pam.d/password-auth +if ! grep -q "^password.*pam_unix\.so" $CUSTOM_PASSWORD_AUTH; then + echo "password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok" >> $CUSTOM_PASSWORD_AUTH fi + +authselect apply-changes -b diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh index f3cb36505d14..b932a58f5ddc 100644 
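Review bot: The new profile setup (`authselect create-profile hardening -b sssd`, `authselect select $CUSTOM_PROFILE --force`) is unchecked, and the script's exit status comes only from the final `authselect apply-changes -b`, which can succeed even when the earlier commands failed and the custom profile files were never created; in a `.pass.sh` scenario the rule would then be evaluated against the untouched default profile and pass for the wrong reason. I would fail fast on the setup, e.g. `authselect create-profile hardening -b sssd || exit 1` and `authselect select "$CUSTOM_PROFILE" --force || exit 1`, and quote the `$CUSTOM_*` expansions throughout (harmless with these fixed values, but ShellCheck SC2086 will flag them). If scenarios can run on a machine where the profile already exists, `create-profile` may legitimately fail; guarding it with `[ -d /etc/authselect/custom/hardening ] ||` keeps that case working. The same setup block is repeated in remember_commented_rhel.pass.sh, remember_present_password_auth.fail.sh and remember_present_system_auth.fail.sh, and the same applies there.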
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh @@ -1,15 +1,23 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_rhel,multi_platform_fedora # packages = pam +authselect create-profile hardening -b sssd +CUSTOM_PROFILE="custom/hardening" +authselect select $CUSTOM_PROFILE --force +CUSTOM_PASSWORD_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth" +CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth" + # Commented lines should pass (comments are ignored) -sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/system-auth -sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/password-auth +sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' $CUSTOM_SYSTEM_AUTH +sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' $CUSTOM_PASSWORD_AUTH # Add commented line with remember (should be ignored) -echo "# password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/system-auth -echo "# password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/password-auth +echo "# password sufficient pam_unix.so sha512 shadow remember=5" >> $CUSTOM_SYSTEM_AUTH +echo "# password sufficient pam_unix.so sha512 shadow remember=5" >> $CUSTOM_PASSWORD_AUTH # Add clean active lines without remember -echo "password sufficient pam_unix.so sha512 shadow" >> /etc/pam.d/system-auth -echo "password sufficient pam_unix.so sha512 shadow" >> /etc/pam.d/password-auth +echo "password sufficient pam_unix.so sha512 shadow" >> $CUSTOM_SYSTEM_AUTH +echo "password sufficient pam_unix.so sha512 shadow" >> $CUSTOM_PASSWORD_AUTH + +authselect apply-changes -b 
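Review bot: The two `echo "password sufficient pam_unix.so sha512 shadow" >> $CUSTOM_*` lines append a second `password ... pam_unix.so` entry unconditionally, while no_remember_rhel.pass.sh in this same commit guards the equivalent append with `grep -q "^password.*pam_unix\.so"`; presumably the profile's original pam_unix password line (which carries no `remember=`) survives the preceding `sed` deletion, so the custom profile ends up with two pam_unix password stanzas. The scenario still passes because the check only looks for `remember=`, but the fixture no longer resembles a real configuration and the two pass scripts disagree for no stated reason. I would use the same guard here: `grep -q "^password.*pam_unix\.so" "$CUSTOM_SYSTEM_AUTH" || echo "password sufficient pam_unix.so sha512 shadow" >> "$CUSTOM_SYSTEM_AUTH"`, and likewise for `$CUSTOM_PASSWORD_AUTH`. `--follow-symlinks` on the `sed -i` calls is now redundant since they target regular files under /etc/authselect/custom, though it does no harm.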
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh index 67d6ca691e2f..47c0af6bbf46 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh @@ -1,12 +1,19 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_rhel,multi_platform_fedora # packages = pam +authselect create-profile hardening -b sssd +CUSTOM_PROFILE="custom/hardening" +authselect select $CUSTOM_PROFILE --force +CUSTOM_PASSWORD_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth" + # Add remember option to password-auth (should fail) -if grep -q "^password.*pam_unix\.so" /etc/pam.d/password-auth; then +if grep -q "^password.*pam_unix\.so" $CUSTOM_PASSWORD_AUTH; then # If pam_unix.so line exists, add remember option - sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' /etc/pam.d/password-auth + sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' $CUSTOM_PASSWORD_AUTH else # If no pam_unix.so line exists, add one with remember - echo "password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/password-auth + echo "password sufficient pam_unix.so sha512 shadow remember=5" >> $CUSTOM_PASSWORD_AUTH fi + +authselect apply-changes -b 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh index 1914e2484f41..495365c4e3dd 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh @@ -1,12 +1,19 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_rhel,multi_platform_fedora # packages = pam +authselect create-profile hardening -b sssd +CUSTOM_PROFILE="custom/hardening" +authselect select $CUSTOM_PROFILE --force +CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth" + # Add remember option to system-auth (should fail) -if grep -q "^password.*pam_unix\.so" /etc/pam.d/system-auth; then +if grep -q "^password.*pam_unix\.so" $CUSTOM_SYSTEM_AUTH; then # If pam_unix.so line exists, add remember option - sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' /etc/pam.d/system-auth + sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' $CUSTOM_SYSTEM_AUTH else # If no pam_unix.so line exists, add one with remember - echo "password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/system-auth + echo "password sufficient pam_unix.so sha512 shadow remember=5" >> $CUSTOM_SYSTEM_AUTH fi + +authselect apply-changes -b From 38c304d39f3dc58dc0680d94bceafabd7ca79c8f Mon Sep 17 00:00:00 2001 
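Review bot: After this commit every RHEL-family scenario for the rule creates and selects an authselect profile, so the non-authselect branch of bash/shared.sh (`bash_remove_pam_module_option` under `else`) is no longer exercised by any scenario visible in this series, and the `platform` line narrowed to rhel/fedora also drops OL/AlmaLinux coverage until patch 4 restores it. If the fallback path is still meant to be supported, a scenario that edits `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` directly on a host without authselect is needed; if it is not, removing the fallback is better than keeping an untested path. Other scenarios may exist outside this diff, in which case this is moot. As in the sibling scripts, the `$CUSTOM_SYSTEM_AUTH` expansions here are unquoted and the profile setup is unchecked.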
From: Vojtech Polasek Date: Fri, 12 Dec 2025 09:58:50 +0100 Subject: [PATCH 4/5] rename "rhel" test scenarios and make them applicable to more platforms --- ...{no_remember_rhel.pass.sh => no_remember_authselect.pass.sh} | 2 +- ...ented_rhel.pass.sh => remember_commented_authselect.pass.sh} | 2 +- .../tests/remember_present_password_auth.fail.sh | 2 +- .../tests/remember_present_system_auth.fail.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) rename linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/{no_remember_rhel.pass.sh => no_remember_authselect.pass.sh} (90%) rename linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/{remember_commented_rhel.pass.sh => remember_commented_authselect.pass.sh} (90%) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_authselect.pass.sh similarity index 90% rename from linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh rename to linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_authselect.pass.sh index 949f26890448..e5e4a502d37c 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_authselect.pass.sh 
@@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux # packages = pam authselect create-profile hardening -b sssd diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_authselect.pass.sh similarity index 90% rename from linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh rename to linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_authselect.pass.sh index b932a58f5ddc..09c4d09963b2 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_authselect.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux # packages = pam authselect create-profile hardening -b sssd diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh index 47c0af6bbf46..4875c791a3da 100644 
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux # packages = pam authselect create-profile hardening -b sssd diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh index 495365c4e3dd..5e6338858a89 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux # packages = pam authselect create-profile hardening -b sssd From 46e2ec0b20727d3cdd14b703e34ef40d349d0489 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 12 Dec 2025 11:14:10 +0100 Subject: [PATCH 5/5] Ansible remediation: do not specify regex for PAM control, it is handled unexpectedly and not needed here --- .../accounts_password_pam_unix_no_remember/ansible/shared.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml index 3e2df58ffd2b..91f0ee17e1d4 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml @@ -14,7 +14,7 @@ replace: '\1\2' loop: {{{ pam_config_paths }}} {{% else %}} -{{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/system-auth', 'password', '.*', 'pam_unix.so', 'remember', rule_title=rule_title) }}} +{{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember', rule_title=rule_title) }}} -{{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/password-auth', 'password', '.*', 'pam_unix.so', 'remember', rule_title=rule_title) }}} +{{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember', rule_title=rule_title) }}} {{% endif %}}
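Review bot: The control argument goes back to `''` with nothing in the template explaining why a regex must not be used here, and the Bash counterpart (bash/shared.sh, patch 2 of this series) still passes `'.*'` for the same rule, so the two remediations now diverge exactly where patch 1 set out to align them. I would record the reason next to the two calls, e.g. `{{# control intentionally left empty: this macro handles a regex here unexpectedly and any control value should match (see commit 46e2ec0) #}}`, and either change bash/shared.sh to `''` as well or note there why `'.*'` is correct for the Bash macro. The enclosing `{{% if %}}`/`{{% else %}}` structure begins before this hunk.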